Network Computingwww.networkcomputing.com

Version 4.8 of the software brings more redundancy to the system via a backup interface. It also adds NAT (Network Address Translation) for protected client IP addresses. The software includes an additional integration feature: Circuitless IP (CLIP). Used primarily for load balancing, CLIP assigns a single IP to one or more Contivity interfaces.

Nortel has increased client protection in this version with Firewall User Authentication (FWUA), which forces users on the protected side of a Contivity device to authenticate prior to accessing the VPN. Additional client protection comes from Tunnel Guard, which dynamically ensures that required applications, such as Web virus scanners or firewalls, are running prior to admission to the VPN.

Contivity 5000 click to enlarge

Since version 4.0 of the software, the Contivity has supported network failover using VRRP (Virtual Routing Redundancy Protocol) and OSPF. Although these protocols are useful, not all environments need the VPN to participate in OSPF, and VRRP is really for interface failover. In most situations, BIS (Backup Interface Services), which is included in the software I tested, can fail over network paths and VPNs regardless of network installation.

BIS should detect failed tunnels via route advertisements, pings and interface status (see "Backup Interface Services" diagram). You can define any IP address ping against the next hop router or any device in the path. I tested this by pinging a peer Contivity 600: My primary path went out the 10.1.1.1 interface. I configured a downstate indicated as three pings with a five-second time-out between each ping attempt. I then disconnected the interface cable between the Contivity 600 and the switch. After the allotted 15 seconds, the Contivity 5000 initiated a new IPsec session to the alternate Contivity 600 interface. Once I reconnected the cable between the switch and the Contivity 600, the Contivity 5000 switched back to the primary interface. Of course, if your primary network path is going up and down, the BIS will be flapping back and forth as well. To minimize the flapping, you will need to adjust the timing parameters to smooth things out.

Backup Interface services click to enlarge

Firewall User Authentication is designed to work with traffic that is passing through the Contivity in the clear or when the Contivity has a LAN-to-LAN VPN established between sites, authenticates users via an SSL-protected Web page at the Contivity firewall. To test this, I configured the Contivity 5000 to require authentication for access. Then I created users in the local database. As a user I pulled up the Web page from the Contivity and authenticated and was allowed into the VPN as expected. Once properly authenticated, all user traffic passes from the client to the Contivity. Users who fail to authenticate will be denied access at the Contivity firewall.

Contivity has always provided centralized client management. TunnelGuard extends protection and configuration and metes it out to the Contivity VPN Client. Through TunnelGuard, the Contivity client checks a Software Requirement Set (SRS), guaranteeing that the required programs or DLLs are loaded and running. To ensure that required files have not been modified or trojaned, TunnelGuard computes a hash of the target file and compares it to the SRS.

The improvements in Contivity 5000 and version 4.8 software add value to an already robust product. The increased CPU speed and available memory should provide improved performance. Additionally, the enhanced protection features make a good product even better.

Mike Fratto is a senior technology editor based at our Syracuse University Real-World Labs®. Write to him at mfratto@nwc.com.

Post a comment or question on this story.